modified all and patched security vulnerability issue #333

docker/Dockerfile

@@ -23,19 +23,11 @@ ENV WGDASH=/opt/wireguarddashboard
 
 # Doing package management operations, such as upgrading
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    curl \
-    git \
-    iproute2 \
-    iptables \
-    iputils-ping \
-    openresolv \
-    procps \
-    python3 \
-    python3-pip \
-    python3-venv \
-    traceroute \
-    wireguard \
-    wireguard-tools \
+    curl git iproute2 \
+    iptables iputils-ping \
+    openresolv procps traceroute \
+    python3 python3-pip python3-venv \
+    wireguard wireguard-tools \
     sudo && \
     apt-get remove -y linux-image-* && \
     apt-get autoremove -y && \
@@ -55,18 +47,16 @@ VOLUME ${WGDASH}
 # Generate basic WireGuard interface. Echoing the WireGuard interface config for readability, adjust if you want it for efficiency.
 # Also setting the pipefail option, verbose: https://github.com/hadolint/hadolint/wiki/DL4006.
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-RUN wg genkey | tee /etc/wireguard/wg0_privatekey \
-  && echo "[Interface]" > /setup/conf/wg0.conf \
+RUN echo "[Interface]" > /setup/conf/wg0.conf \
   && echo "Address = ${wg_net}/24" >> /setup/conf/wg0.conf \
-  && echo "PrivateKey = $(cat /etc/wireguard/wg0_privatekey)" >> /setup/conf/wg0.conf \
+  && echo "PrivateKey ="  >> /setup/conf/wg0.conf \
   && echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \
   && echo "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \
   && echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \
   && echo "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \
   && echo "ListenPort = ${wg_port}" >> /setup/conf/wg0.conf \
   && echo "SaveConfig = true" >> /setup/conf/wg0.conf \
-  && echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf \
-  && rm /etc/wireguard/wg0_privatekey
+  && echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf
 
 # Defining a way for Docker to check the health of the container. In this case: checking the login URL.
 HEALTHCHECK --interval=2m --timeout=1m --start-period=5s --retries=3 \

docker/README.md

@@ -76,7 +76,7 @@ So go to the assign TCP port in this case HTTP, like the default 10086 one in th
 | tz             | Europe/Amsterdam or any confirming timezone notation. | `Europe/Amsterdam` | `America/New_York` | Sets the timezone of the Docker container. This is to timesync the container to any other processes which would need it. |
 | global_dns     | Any IPv4 address, such as my personal recommendation: 9.9.9.9 (QUAD9). | `1.1.1.1` | `8.8.8.8` or any IP-Address that resolves DNS-names, and of course is reachable | Set the default DNS given to clients once they connect to the WireGuard tunnel, and for new peers, set to Cloudflare DNS for reliability.
 | enable         | Anything, preferably an existing WireGuard interface name. | `none` | `wg0,wg2,wg13` | Enables or disables the starting of the WireGuard interface on container 'boot-up'.
-| isolate        | Anything, preferably an existing WireGuard interface name. | `wg0` | `wg1,wg0` | For security premade `wg0` interface comes with this feature enabled by default. Declaring `isolate=` in the Docker Compose file will remove this. The WireGuard interface itself IS able to reach the peers (Done through the `iptables` package).
+| isolate        | Anything, preferably an existing WireGuard interface name. | `wg0` | `wg1,wg0` | For security premade `wg0` interface comes with this feature enabled by default. Declaring `isolate=none` in the Docker Compose file will remove this. The WireGuard interface itself IS able to reach the peers (Done through the `iptables` package).
 | public_ip      | Any IPv4 (public recommended) address, such as the one returned by default | Default uses the return of `curl ifconfig.me` | `23.50.131.156` | To reach your VPN from outside your own network, you need WG-Dashboard to know what your public IP-address is, otherwise it will generate faulty config files for clients. This happends because it is inside a Docker/Kubernetes container. In or outside of NAT is not relevant as long as the given IP-address is reachable from the internet or the target network.
 
 ## Be careful with:

docker/compose.yaml

@@ -1,6 +1,6 @@
 services:
   wireguard-dashboard:
-    image: dselen/wgdashboard:latest
+    image: dselen/wgdashboard:dev
     restart: unless-stopped
     container_name: wgdashboard
     environment:

docker/entrypoint.sh

@@ -26,8 +26,14 @@ ensure_installation() {
   if [ ! -f "/etc/wireguard/wg0.conf" ]; then
     echo "Standard wg0 Configuration file not found, grabbing template."
     cp "/setup/conf/wg0.conf" "/etc/wireguard/wg0.conf"
+
+    echo "Setting a secure private key."
+    local privateKey=$(wg genkey)
+    sed -i "s|^PrivateKey =$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf
+    sed -i "s|^PrivateKey *=.*$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf
+    echo "Done setting template."
   else
-    echo "Standard wg0 Configuration file found, using that."
+    echo "Existing wg0 configuration file found, using that."
   fi
 }
 
@@ -58,6 +64,11 @@ clean_up() {
   else
     echo "No pycaches found, continuing."
   fi
+
+  local logdir="${WGDASH}/src/log"
+  echo "Cleaning log directory."
+  rm ${logdir}/access_*.log ${logdir}/error_*.log
+  echo "Removed unneeded logs!"
 }
 
 #update_checker() {
@@ -135,17 +146,22 @@ start_core() {
 
   # Isolating the matches.
   for interface in "${do_isolate[@]}"; do
-    if [ -f "/etc/wireguard/${interface}.conf" ]; then
-      echo "Isolating interface:" $interface
-      upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
-      downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
-
-      if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then
-        sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
-        sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
-      fi
+    if [ "$interface" = "none" ]; then
+      echo "Found: $interface, stopping isolation checking."
+      break
     else
-      echo "Configuration for $interface does not seem to exist, continuing."
+      if [ -f "/etc/wireguard/${interface}.conf" ]; then
+        echo "Isolating interface:" $interface
+        upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
+        downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
+
+        if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then
+          sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
+          sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
+        fi
+      else
+        echo "Configuration for $interface does not seem to exist, continuing."
+      fi
     fi
   done
   
@@ -164,18 +180,23 @@ start_core() {
   IFS=',' read -r -a enable_array <<< "${enable}"
 
   for interface in "${enable_array[@]}"; do
-    echo "Enabling interface:" $interface
-    
-    local fileperms=$(stat -c "%a" /etc/wireguard/${interface}.conf)
-    if [ $fileperms -eq 644 ]; then
-      echo "Configuration is world accessible, adjusting."
-      chmod 600 "/etc/wireguard/${interface}.conf"    
-    fi
-
-    if [ -f "/etc/wireguard/${interface}.conf" ]; then
-      wg-quick up $interface
+    if [ "$interface" = "none" ]; then
+      echo "Found: $interface, stopping enabling checking."
+      break
     else
-      echo "No corresponding configuration file found for $interface doing nothing."
+      echo "Enabling interface:" $interface
+      
+      local fileperms=$(stat -c "%a" /etc/wireguard/${interface}.conf)
+      if [ $fileperms -eq 644 ]; then
+        echo "Configuration is world accessible, adjusting."
+        chmod 600 "/etc/wireguard/${interface}.conf"    
+      fi
+
+      if [ -f "/etc/wireguard/${interface}.conf" ]; then
+        wg-quick up $interface
+      else
+        echo "No corresponding configuration file found for $interface doing nothing."
+      fi
     fi
   done
 }